DROWN Attack against SSL

DROWN is a vulnerability that affects HTTPS and other services that rely on SSL and TLS. Servers are vulnerable if they support SSLv2.

All systems behind RedShield are not vulnerable to DROWN as the RedShield cloud does not support SSLv2 or SSLv2 ciphers.

However it is important to note that a system behind RedShield that does not support SSLv2 can be vulnerable if it uses the same certificate that is used on any other server that allows SSLv2 connections, including other protocols (mail, vpn etc).

If companies reuse the same certificate and key on their web and email servers. In this case, if the email server supports SSLv2 and the web server does not, an attacker can take advantage of the email server to break TLS connections to the web server.

RedShield customers should ensure they are not reusing SSL certificates across services that are behind RedShielded and services that are not behind RedShield